pfSense: pfSense-SA-24_03.webgui: Multiple XSS vulnerabilities in the WebGUI
Description
Multiple potential Cross-Site Scripting (XSS) vulnerabilities were found in PHP error display formatting. PHP error messages are plain text, not HTML, but the GUI formats them as HTML when displaying errors in-line on all pages. The PHP Error log display function on crash_reporter.php also also displays the PHP Error log file content without encoding. Additionally, PHP prints function arguments in the stack trace which may contain user input. This problem is present on pfSense Plus version 23.09.1, pfSense CE version 2.7.2, and earlier versions of both. Combined, these issues have a potential to lead to an XSS if the user can login, trigger a PHP error, and influence the arguments displayed in the stack trace. Due to the lack of proper encoding on the affected output susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. Only the first 15 characters of user input are printed in the function arguments, severely limiting the potential exposure.
Solution(s)
- pfsense-upgrade-latest
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center